Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/rubygems@3.6.6-1?distro=trixie
purl pkg:deb/debian/rubygems@3.6.6-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-n1ja-n53g-fycm URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability. CVE-2025-27221
GHSA-22h5-pq3x-2gf2

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T10:06:10.427539+00:00 Debian Importer Fixing VCID-n1ja-n53g-fycm https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T06:46:58.244573+00:00 Debian Importer Fixing VCID-n1ja-n53g-fycm https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:52:26.673769+00:00 Debian Importer Fixing VCID-n1ja-n53g-fycm https://security-tracker.debian.org/tracker/data/json 38.1.0